Wardriving

7/29/2004

The Bad Karma Gang


Agenda

Introduction to Wardriving

The Tools of Wardriving

Wardriving Green Lake


What is War Driving?
Definition:
Driving through a neighborhood with a wireless-enabled notebook computer in search of wireless access points (APs)

Purpose:
Analyze Wireless LANs & show which APs are open

Product:
Wireless Access Point Map

Origin:
War dialing

Some Results of War Driving
Wireless Access Point Maps
Wireless Internet Security Awareness
-152 networks audited-

unprotected networks: 67.8%
protected networks: 32.2%

Nowel & Budge


-Source: Wigle.Net-

WWWD4 (World Wide War Drive)
June 12-19, 2004
(map labels: Access point, Nuis House)


300,000 APs submitted worldwide

WiGLE
-WiFiMaps.com-

Legal Background

Activity: Scan access points
Legality: Not illegal

Activity: Intentional access of a computer without authorization
Legality: Illegal
Law: Computer Fraud and Abuse Act

Activity: Alteration of communication on ISP network without authorization
Legality: Illegal
Law: Electronic Communications Protection Act

Activity: Interception of communications as they're going through the air
Legality: Illegal
Law: Wiretap Act

Anatomy of a Hack
(Hacking Exposed 4th Edition)
War driving Process

Footprinting: Address range, namespace acquisition
Scanning: Find promising points of entry
Enumeration: Find user accounts and poorly protected shares
Gaining Access: Informed attempts to access target
Escalating Privilege: Gain complete control of system
Pilfering: Gain access to trusted systems
Covering Tracks: Hide system privileges
Creating Back Doors: Ensure ability to regain access at will
Denial of Service: Create ability to disable target

Legal / Illegal

Possible Risks

War driving = not illegal

Beyond war driving = illegal


Encryption key cracking

Free internet access

Identity exposure and theft

Network resource utilization


Data theft

Denial-of-service

Other hacking activities

Availability, Confidentiality, Integrity

Typical Wardriving Setup

GPS Mouse

Notebook computer

802.11 network sniffing software (e.g. Netstumbler)

GPS Software Display

Text to speech software:
"new network found. ssid is thd-wireless. channel 6. network open."

Power Cable

Netstumbler Screenshot
For the thrifty and adventurous wardriver
Build a Cantenna
http://www.turnpoint.net/wireless/cantennahowto.html
Protection of Wireless Networks

Use Wired Equivalent Privacy (WEP)


Network card encrypts payload using RC4 cipher
Receiving station decrypts upon arrival
Only works between 802.11 stations.
No longer applies once payload enters wired side of network
Users should change default password and Service Set Identifier
Users should change keys often

Physically locate access point to avoid spilling signal off premises

Install hardware or software firewall

Use passwords for sensitive folders and files

Users should perform wardriving test
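
The WEP round trip described above (the card encrypts the payload with RC4, the receiving station decrypts it), as an added example that is not part of the original slides. The 24-bit IV prepended to the key and the CRC-32 integrity value (ICV) are WEP details the slides do not mention; the key, IV and payload are constructed sample values.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling, then XOR the data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(secret: bytes, iv: bytes, payload: bytes, key_id: int = 0) -> bytes:
    """Sending station: append the CRC-32 ICV, encrypt with RC4 keyed by IV || secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    body = rc4(iv + secret, payload + icv)
    # The IV and key ID are sent unencrypted so the receiver can rebuild the RC4 key.
    return iv + bytes([key_id << 6]) + body

def wep_decrypt(secret: bytes, frame_body: bytes) -> bytes:
    """Receiving station: rebuild the RC4 key from the IV, decrypt, verify the ICV."""
    iv, body = frame_body[:3], frame_body[4:]
    plain = rc4(iv + secret, body)
    payload, icv = plain[:-4], plain[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return payload                            # plaintext from here on (wired side)

if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")              # constructed per-frame IV
    frame = wep_encrypt(secret, iv, b"GET / HTTP/1.0\r\n")
    print("on the air:", frame.hex())
    print("after the AP:", wep_decrypt(secret, frame))
```

The value returned by wep_decrypt is what leaves the access point for the wired network, which is why WEP protects only the hop between 802.11 stations.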


Experiment: War Driving Seattle

* Doonesbury, December, 2002.


Wardriving: Been there, done that?

* War Kayaking, Summer, 2003.


War Driving Experiments
Experiment 1: Open door
Opened SBG1000 wireless Internet gateway
Meant to disable 16 bit encryption
Discovered traffic in logs when home computers off

Experiment 2: Tools of the trade

+ + = Access
Results: Access Gained

My house

Results
29 Available networks in 2 short hours
Only 3 required a key of any kind
All available from parked car on crowded streets
Colorful names for wireless routers: hotstuff, red libre, eatshitanddie
most use manufacturer name

Discussion

The Bad Karma Gang


-Social Engineer Alumni Relations-
